Add an HA VPN gateway to HA VPN over Cloud Interconnect

This page provides instructions for adding HA VPN gateways to your existing HA VPN over Cloud Interconnect deployment.

HA VPN over Cloud Interconnect lets you encrypt the traffic that traverses your Dedicated Interconnect or Partner Interconnect connections. Learn how to deploy HA VPN over Cloud Interconnect.

You might need to add HA VPN tunnels to your HA VPN over Cloud Interconnect deployment after you have increased the capacity of your VLAN attachments. Another scenario for adding tunnels is when your Cloud VPN monitoring alerts have detected that your existing VPN tunnels have exceeded the recommended 50% utilization threshold. This threshold ensures that you have sufficient capacity for tunnel failover in the event of VLAN attachment failure.

To increase the capacity in your HA VPN over Cloud Interconnect deployment, you must add HA VPN tunnels. Use the same procedures that you would normally use to add an HA VPN tunnel between an existing HA VPN gateway and an external peer VPN gateway. For more information, see Add a tunnel from an HA VPN gateway to a peer VPN gateway.

You only need to add one or more HA VPN gateways if all existing HA VPN gateway interfaces are already connected to all available peer VPN gateway interfaces. As an alternative, you can also add one or more peer VPN gateways to your on-premises network.

You can only associate HA VPN gateways with encrypted VLAN attachments by using the Google Cloud CLI or the HA VPN API. You can't perform this action with the Google Cloud console after you complete the initial deployment of HA VPN over Cloud Interconnect.

To create an HA VPN gateway, perform the following steps.

gcloud

  1. Create an HA VPN gateway.

    For example, the following command creates an HA VPN gateway and assigns the gateway interfaces to your encrypted VLAN attachments:

    gcloud compute vpn-gateways create vpn-gateway-c \
       --network NETWORK_NAME \
       --region REGION \
       --interconnect-attachments \
         ATTACHMENT_1,ATTACHMENT_2
    

    For the --interconnect-attachments parameter, you list both VLAN attachments. The first VLAN attachment that you list is assigned to interface 0 (if0) of the HA VPN gateway, and the second VLAN attachment is assigned to interface 1 (if1).

    An example command might look like the following:

    gcloud compute vpn-gateways create vpn-gateway-c \
        --network network-a \
        --region us-central1 \
        --interconnect-attachments \
          attachment-a-zone1,attachment-a-zone2
    
  2. If you configured the encrypted VLAN attachments to use regional internal IP addresses for your HA VPN gateways, view the gateway's details. Two internal IP addresses from your reserved ranges are automatically assigned to the gateway.

    To view the regional internal IP addresses assigned to your HA VPN gateway's interfaces, use the following command:

    gcloud compute vpn-gateways describe VPN_GATEWAY_NAME
    

    The output might look similar to the following:

    creationTimestamp: '2022-10-14T16:22:31.748-07:00'
    id: '678310480370225624'
    kind: compute#vpnGateway
    labelFingerprint: 2345567=
    name: vpn-gateway-c
    network: https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a
    region: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1
    selfLink: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpn-gateway-c
    stackType: IPV4_ONLY
    vpnInterfaces:
    - id: 0
      interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1
      ipAddress: 192.168.20.3
    - id: 1
      interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2
      ipAddress: 192.168.21.3
    

API

To create the full configuration for an HA VPN gateway, use the API commands in the following sections. All field values used in these sections are example values.

To create an HA VPN gateway, make a POST request by using the vpnGateways.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
   {
     "name": "vpn-gateway-c",
     "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME",
     "vpnInterfaces": [
        {
            "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone1"
        },
        {
            "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone2"
        }
     ]
   }

If you configured the encrypted VLAN attachments to use regional internal IP addresses for your HA VPN gateways, then internal IP addresses from your reserved ranges are automatically assigned to the gateway.

To view the regional internal IP addresses assigned to your HA VPN gateway, use the vpnGateways.get method:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/VPN_GATEWAY_NAME

The output might look similar to the following:

{
  "kind": "compute#vpnGateway",
  "id": "678310480370225624",
  "creationTimestamp": "2022-10-14T16:22:31.748-07:00",
  "name": "vpn-gateway-c",
  "region": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1",
  "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpn-gateway-c",
  "labelFingerprint": "2345567=",
  "vpnInterfaces": [
    {
      "id": 0,
      "ipAddress": "192.168.20.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1"
    },
    {
      "id": 1,
      "ipAddress": "192.168.21.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2"
    }
  ],
  "stackType": "IPV4_ONLY"
}
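The following check is an added example, not part of the original page or of Google's tooling. It takes the JSON returned by vpnGateways.get (or by `gcloud compute vpn-gateways describe` with `--format=json`) and confirms that if0 and if1 are bound to the expected encrypted VLAN attachments, in order, and that their addresses fall inside your reserved internal ranges. The function name `check_gateway` and the two /29 ranges are assumptions for illustration; the sample response is constructed from the example values above.

```python
import ipaddress
import json

# Constructed sample: trimmed vpnGateways.get response using the page's example values.
SAMPLE_GATEWAY = json.loads("""
{
  "name": "vpn-gateway-c",
  "vpnInterfaces": [
    {"id": 0, "ipAddress": "192.168.20.3",
     "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1"},
    {"id": 1, "ipAddress": "192.168.21.3",
     "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2"}
  ]
}
""")

# Assumed reserved internal ranges; the page does not state them.
RESERVED_RANGES = ["192.168.20.0/29", "192.168.21.0/29"]


def check_gateway(gateway, expected_attachments, reserved_ranges=None):
    """Return a list of findings; an empty list means the gateway matches."""
    findings = []
    nets = [ipaddress.ip_network(r) for r in (reserved_ranges or [])]
    by_id = {i.get("id"): i for i in gateway.get("vpnInterfaces", [])}
    # Position in expected_attachments is the interface number (first -> if0).
    for idx, expected in enumerate(expected_attachments):
        iface = by_id.get(idx)
        if iface is None:
            findings.append(f"if{idx}: interface missing")
            continue
        parts = iface.get("interconnectAttachment", "").rstrip("/").split("/")
        # A valid reference ends in .../interconnectAttachments/<name>.
        if len(parts) < 2 or parts[-2] != "interconnectAttachments":
            findings.append(f"if{idx}: not bound to a VLAN attachment")
        elif parts[-1] != expected:
            findings.append(f"if{idx}: bound to {parts[-1]}, expected {expected}")
        if nets:
            ip = iface.get("ipAddress")
            addr = ipaddress.ip_address(ip) if ip else None
            if addr is None or not any(addr in n for n in nets):
                findings.append(f"if{idx}: address {ip} outside reserved ranges")
    return findings
```

An interface reported as not bound to a VLAN attachment means its tunnels would not traverse the encrypted attachment you intended, so treat that finding as blocking before you add tunnels to the new gateway.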
